from the ETERNALPWNAGE dept

Leaked NSA exploits have now been the basis for two massive cyberattacks. The first -- WannaCry -- caught hospitals and other critical infrastructure across several nations in the crossfire, using a tool built on the NSA's ETERNALBLUE exploit backbone. The second seems to be targeting Ukraine, causing the same sort of havoc but with a couple of particularly nasty twists.

It soon became apparent it didn't matter what Posteo did, no matter how clueless or ill-advised. There was no retrieving files even if ransoms were paid. Two separate sets of security researchers examined the so-called ransomware and discovered Petya is actually a wiper. Once infected, victims' files are as good as gone. No amount of bitcoin is going to reverse the inevitable. The ransomware notices were only there to draw attention to the infection and away from the malware's true purpose.

Both cases are considered to be attacks by nation states. Inconsistently-applied patches -- most of them released with zero information by Microsoft -- have led to an insane amount of damage.

Through it all, the NSA -- whose tools were leaked -- has remained consistently silent. There's been no indication whether the agency is working to mitigate the ongoing threat or whether it's far more concerned with discovering who left behind the malware toolkit first exposed by the ShadowBrokers.

It's unlikely we'll hear much being said publicly by the agency, but Rep. Ted Lieu has sent a letter to NSA chief Mike Rogers demanding answers. The letter [PDF] points out both attacks have been based on NSA exploits (ETERNALBLUE and ETERNALROMANCE). Lieu also states he fears the attacks seen in the past few weeks are only the "tip of the iceberg." The agency's refusal to discuss the attacks apparently isn't going to fly anymore.

Lieu makes two requests: the first is for the agency to see if it has some sort of magic "OFF" switch just lying around.

My first and urgent request is that if the NSA knows how to stop this global malware attack, or has information that can help stop the attack, NSA should immediately disclose it. If the NSA has a kill switch for this new malware attack, the NSA should deploy it now.

It's far more likely the NSA has information it would rather not share than it is the agency has a way to shut down this attack, much less prevent future variations on its ETERNAL theme. But that's directly related to the second part of Lieu's request: work with companies whose software is being exploited to prevent further attacks. If the NSA still has security holes it's hoping won't be patched anytime soon, the current situation would seem to call for a rethink of its exploit-hoarding M.O.

What may be in order is the NSA stepping up and playing defense. It has stated a desire to be a larger cog in the US cyberwar machinery, but often seems more interested in playing offense than pitching in to help on the defensive end. That may need to change quickly if the NSA isn't going to be seen as more of a problem than a solution.

from the adding-hay-to-the-stack-makes-it-harder-to-find-the-needles dept

Soon after the attack in Manchester, the UK government went back to its "encrypted communications are the problem" script, which it has rolled out repeatedly in the past. But it has now emerged that the suicide bomber was not only known to the authorities, but that members of the public had repeatedly warned about his terrorist sympathies, as the Telegraph reports:

Counter Terrorism agencies were facing questions after it emerged Salman Abedi told friends that "being a suicide bomber was okay", prompting them to call the Government's anti-terrorism hotline.

Sources suggest that authorities were informed of the danger posed by Abedi on at least five separate occasions in the five years prior to the attack on Monday night.

London attack ringleader Khuram Butt was identified as a major potential threat, leading to an investigation that started in 2015, UK counterterrorism sources tell CNN.

…

Butt was seen as a heavyweight figure in al-Muhajiroun, whose hardline views made him potentially one of the most dangerous extremists in the UK, the sources said Tuesday. The investigation into Butt involved a "full package" of investigatory measures, the sources told CNN.

Butt was filmed in a 2016 documentary with the self-explanatory title "The Jihadis Next Door", in which a black flag associated with ISIS was publicly unfurled in London's Regent’s Park. Even though police were present during the filming, they did not follow up that incident, according to the Guardian:

Police did not make a formal request for footage or information from the makers of a Channel 4 documentary that featured Khuram Butt, one of the London Bridge attackers.

The broadcaster of The Jihadis Next Door said no police requests were made for film or programme maker's notes to be handed over under the Police and Criminal Evidence Act or Terrorism Act.

An Italian prosecutor who led an investigation into the London Bridge attacker Youssef Zaghba has insisted that Italian officials did send their UK counterparts a written warning about the risk he posed last year and monitored him constantly while he was in Italy.

Giuseppe Amato, the chief prosecutor in Bologna, who investigated Zaghba when he tried to travel from Italy to join Islamic State in Syria in March 2016, told the Guardian that information about the risk he posed was shared with officials in the UK.

Amato added that he personally saw a report that had been sent to London by the chief counter-terrorism official in Bologna about the Moroccan-born Italian citizen.

Manchester and London are not the only cases where the authorities were informed in advance about individuals. A 2015 article in The Intercept looked at ten high-profile terrorist attacks around the world, and found that in every single case, at least some of the perpetrators were already known to the authorities. Strong encryption is not the problem: it is the inability of the authorities to act on the information they have that is the problem. That's not to suggest that the intelligence services and police were incompetent, or that there were serious lapses. It's more a reflection of the fact that far from lacking vital information because of end-to-end encryption, say, the authorities have so much information that they are forced to prioritize their scarce resources, and sometimes they pursue the wrong leads and miss threats.

We wrote about this problem back in 2014, when an FBI whistleblower confirmed what many have been trying to explain to governments keen to extend their surveillance powers: that when you are looking for a needle, adding more hay to the stack makes things worse, not better. What is needed is less mass surveillance, and a more targeted approach. Until Theresa May and leaders around the world understand and act on that, it is likely that more attacks will occur, carried out by individuals known to the authorities, and irrespective of whether they use strong crypto or not.

from the business-threats dept

We've already made it clear that we're quite concerned about how freedom of expression will fare under President Trump. He has a long history of threatening and/or suing those who cover him factually, but in a manner he dislikes. And while he hasn't (as far as I can tell) threatened to sue anyone since the election, he appears to have become somewhat obsessed with the NY Times. Since winning the election he's tweeted at least six times about the NY Times, insisting (incorrectly) that it was losing subscribers and (incorrectly) that it had "apologized" to readers for its Trump coverage. He also claimed (incorrectly) that it had said he hadn't spoken to foreign leaders -- when the actual article just said that his conversations with foreign leaders happened without State Department briefings (which is fairly stunning). Here's what the NY Times said:

One week after Mr. Trump scored an upset victory that took him by surprise, his team was improvising the most basic traditions of assuming power. That included working without official State Department briefing materials in his first conversations with foreign leaders.

But Trump claimed something entirely different:

And, yes, I know that there are some folks who just flat out hate the NY Times and think that it lies and such. And I've certainly complained my fair share about weak or misleading coverage by the NY Times over the years, but it's still problematic when a President or President-elect is directly attacking any publication. It creates serious chilling effects on reporters. And, it can be even worse than that. As Yashar Ali noted in a Twitter thread, attacking a company as "failing" has real consequences, especially one that is traded on the public markets, potentially harming all sorts of everyday investors.

I'm guessing that many who just hate the NY Times won't care about this, but it is serious. There's a reason why Presidents don't go around attacking companies or saying that they're "failing" or that their business is in trouble. Because that has real consequences. I still don't think that journalists should be suing Trump for defamation, as some have suggested, but it would be nice if our President-elect recognized that going around and attacking the press -- even if he disagrees with its coverage -- is entirely inappropriate.

from the delayed-lobotomy dept

We've talked a lot about how while the lack of security in Internet of Things devices was kind of funny at first, it quickly became less funny as the dramatic scope of the problem began to reveal itself. Whether it's cars being taken over from an IP address up to ten miles away, to the rise in massive new DDoS attacks fueled by your not-so-smart home appliances, folks like security expert Bruce Schneier have made it abundantly clear the check is coming due.

That's particularly true in the healthcare field, where hackable pacemakers and ransomware-infected hospital equipment are becoming the norm. In fact, hospitals in England recently had to cancel hundreds of surgeries in order to "isolate and destroy" a virus that was running amok across the hospital's IT systems:

"We have taken the decision, following expert advice, to shut down the majority of our systems so we can isolate and destroy it," the NHS wrote on its website. "All planned operations, outpatient appointments and diagnostic procedures have been canceled for Wednesday, Nov. 2 with a small number of exceptions."

In the kind of transparency that often is the hallmark of these kinds of attacks, the hospital in question (the National Health Service's Northern Lincolnshire and Goole Foundation Trust in the UK) couldn't be bothered to explain the precise nature of the attack. But security expert Brian Krebs notes it's likely part of the growing trend of ransomware attacks on hospitals that cripple administrative and surgical systems until the hospital is willing to pay a bitcoin ransom:

"Earlier this year, experts began noticing that cybercriminals were using ransomware to target hospitals — organizations that are heavily reliant on instant access to patient records. In March 2016, Henderson, Ky.-based Methodist Hospital shut down its computer systems after an infection from the Locky strain of ransomware. Just weeks before that attack, a California hospital that was similarly besieged with ransomware paid a $17,000 ransom to get its files back.

According to a recent report by Intel Security, the healthcare sector is experiencing over 20 data loss incidents per day related to ransomware attacks. The company said it identified almost $100,000 in payments from hospital ransomware victims to specific bitcoin accounts so far in 2016.

Twenty data loss incidents...per day, many of which aren't disclosed and have an exponential impact on human lives and privacy. Ultimately, as other researchers have noted, it's inevitable that as not-particularly-smart devices gain market share around the world, we'll begin to see more and more attacks on vital infrastructure. Another reason why before we get busy offensively waging the cyber, we need to make damn sure existing infrastructure is protected.

from the take-your-pick dept

As you know, last week, large chunks of the internet spent hours writhing on the ground and totally inaccessible thanks to a giant DDoS attack that appears to have been launched via a botnet involving insecure DVR hardware (which can't be patched -- but that's another post for later). Of course, whenever this kind of thing happens, you know that some people on the politics side of things are going to come up with dumb responses, but there were some real whoppers on Friday. I'm going to focus on just two, because I honestly can't decide which one of these is dumber. I'll discuss each of them, and then you guys can vote and let us know: which of these is dumber.

On Friday she went on CNN to discuss a variety of things, and the first question from Wolf Blitzer was about the DDoS attacks, and her answer is the sort of nonsense word salad that is becoming all too common in politics these days, but where she appears to suggest that if we'd passed SOPA this kind of attack wouldn't have happened. She's not just wrong, she's incredibly clueless.

Here's what she said:

Wolf, you don't know who is behind this, you do not know if it's foreign or domestic. What I do know is over the years we have tried to pass a data security legislation. There's been bipartisan agreement in the House. It has not moved forward in the Senate. We also know that a few years ago we tried to do a bill called SOPA in the House which would require the ISPs to do some governance on these networks and to block some of the bad actors.

And of course, there were all of the cyberbots that took out after us that were trying to say 'no you can't do that you're going to impede our free speech.' We said 'no we're trying to keep the roadway clear and to keep some of these bad actors out of the system.'

So, what you have now, whether it is foreign or domestic, no one knows. No one knows who has released some ransomware, spyware, malware into the system that is cau... and bear in mind also this malware can live on your system for a year or much longer before it is detected.

And that is how you've had some of these extensive data breaches because the malware gets into the system, it rests there, it is pulling information and at some point, it activates. And as I tell my constituents, be careful what websites you go to, be careful what emails you open because you may be unintendedly inviting that malware or spyware into your system.

Okay, so. Almost nothing that is said above has anything to do with the DDoS attack. Not at all. Not the "data protection" bill, which is basically about requiring companies to reveal breaches to those impacted. But most certainly not SOPA, which had nothing whatsoever to do with anything having to do with cybersecurity or online attacks or DDoS. And "cyberbots"? Is she implying that the millions of people who spoke out against SOPA were some sort of fake bots? SOPA wouldn't have done anything to stop this kind of attack at all. It had nothing to do with this issue in any way shape or form. Not that Wolf Blitzer seems to know or care about any of that as he just accepts that answer and moves on.

So that's the first dumb response. Now the second: the IANA transition. We've been discussing this for years, and as we've explained, the transition is a good thing in taking an argument away from countries like Russia and China who have been trying to get more control over internet governance, by dropping an almost entirely superficial connection between the fairly minor IANA function and the US Commerce Dept. The transition happened a few weeks ago and nothing on the internet has changed, nor will it, because of this transition. It's a non-story. But, Ted Cruz tried to make it a story and now it's become a partisan thing for no good reason at all. And thus, given an opportunity, partisan sites are blaming the IANA transition for the DDoS:

Today there was a major attack on a part of the Internet that few people pay any attention to. It’s critically important though, and any disruption threatens both our prosperity as Americans, but also our freedom to communicate with each other.

This is a great reminder of why President Obama’s Internet handover plans are so threatening to our way of life.

Probable foreign attackers effectively took thousands of companies off of the Internet today by attacking a major Domain Name Service (DNS) provider: Dyn. This two-hour outage surely cost many people, very much money.

What is DNS, and why is it so important? Put simply, DNS is the system that tells people how to find you online. It converts the names of servers and sites, into numbers that the Internet Protocol can find. It’s an essential service of the commercial Internet.

And yet Barack Obama is trying to hand control of DNS over to the Chinese and the Russians. Ted Cruz has been warning people about this, and so have I. People tend to tune it out, because it sounds like a very technical, obscure issue that isn’t very important.

Well, first of all, newsflash: the transition happened three weeks ago, and Neil Stevens at Red State is so concerned about this he didn't even notice. Damn. Sneaky Obama. Second, the handover of the IANA functions has absolutely nothing to do with a DDoS attack or what it would take to prevent it. Yes, there are some ridiculous aspects to the DNS system, some of which are managed by ICANN. But (1) the IANA transition has nothing to do with "handing control" over to the Chinese or Russians (in fact, it's the opposite -- it takes a big argument away from the Russians and Chinese that they had been using to try to seize more control, and actually makes it much more difficult for them to take control by making sure nation-states actually have very little say in internet governance). And (2) the IANA transition has fuck all to do with DDoS attacks.

Both of these examples seem to be completely clueless, technically illiterate people using real problems (the fragility of DNS systems, the massive unsecured bot-infested systems out there, the ease of taking down important systems, overly centralized critical systems), and using them to pitch some entirely separate personal pet complaint or project. But both are completely ignorant. The only question is which one is worse:

from the because-of-course dept

The script for what to do following a tragedy like the one in Orlando over the weekend is now quite clear: politicians want to appear "serious" about the issue, and thus they say stuff to appease people, even if what they say makes no sense. There was a lot of senseless rhetoric going around, of course, and we'll leave the usual debates about issues we don't cover on Techdirt to lots of other sites. But an issue we do cover is surveillance and bogus ideas like "watch lists" where a mere accusation leads to basic rights being taken away. And, unfortunately, it appears that both major Presidential candidates are advocating for greater surveillance and denial of civil liberties as a response to someone shooting up a nightclub and killing dozens of people.

Clinton's plan? Expand the "terrorist watch lists" despite the fact that there are hundreds of thousands of people who appear to be on the list for no reason at all, and whose lives are basically a living hell because of it. No matter, Clinton says let's expand it:

"We need to look carefully at this," she said. "Should we have a broader database? If someone comes to the attention of the FBI not once, but three times, that suggests that law enforcement needs to know, that people need to be more aware."

Meanwhile, Trump, beyond the much publicized and repeated plan to stop anyone who is a Muslim from immigrating to the country (even though the shooter was born here), also encouraged a much broader version of the already idiotic "see something, say something" campaign:

He also said Americans need to be willing to call the authorities when they see friends, family and neighbors performing suspicious activities.

We must grieve and mourn and support each other, but in our grief and outrage we must resist any temptations to let this attack – or any attack – trigger anti-Muslim foreign policy, attacks on our civil liberties or as an excuse to descend into xenophobia and Islamophobia.

However, an attack like this is carefully planned and executed to maximize attention by inflaming the passions of a helpless public. Because of this, the response can be more dangerous than the attack. The refrains of “safety and security” have, for many years, been used as a tool by the powerful to justify curtailing civil liberties and emboldening backlash against immigrants, Muslim people and others.

Not for the first time, someone locked up on a questionable basis is making a lot more sense, and sounding a lot closer to the ideals of America, than either of the people running to lead the country.

from the but-ban-encryption! dept

As the push to backdoor or ban encryption heats up, kneejerk politicians have rushed to embrace each and every recent attack and to immediately point fingers at encryption. Right after the Paris attacks, politicians started blaming encryption, even though evidence suggested they communicated by unencrypted SMS. Even months later, the press was ridiculously using the total lack of evidence of any encryption... as evidence of encryption. Then with the Brussels attacks from a few weeks ago politicians like Rep. Adam Schiff immediately tried to blame encryption insisting that "we can be sure that terrorists will continue to use what they perceive to be the most secure means to plot their attacks."

Of course, now it's being reported that a laptop seized from one of the suicide bombers in Brussels shows little attempt to actually hide plans of attacks. In fact, it showed that attack plans were kept in an unencrypted folder titled "Target." And the only attempt to "hide" it was that the computer had been thrown in the trash.

The bomber referred to striking Britain, the La Defense business district in Paris, and the ultra-conservative Catholic organisation, Civitas, in a folder titled “Target,” written in English, according to the source.

The laptop was found in the trash by police in Brussels shortly after the suicide bombings on March 22 that killed 32 people at the city’s airport and on a Metro train.

I'm wondering if Rep. Adam Schiff will now talk about the need to ban "folders" in operating systems?

from the psychology-of-security dept

The knee-jerk response of politicians to terrorist attacks -- calling for more surveillance, more crackdowns, more displays of purposeless force -- is by now so routine that we don't even remark on it. We tend to go along with their plans because we are very poor at estimating risks, and thus often end up making bad decisions about trade-offs -- specifically, trading off liberty in the (misguided) hope that it will deliver security. That's not a new insight -- Bruce Schneier wrote two fascinating posts on what he called "The Psychology of Security" as far back as 2008. But maybe it's time to start challenging a strategy that hasn't worked, doesn't work and will never work. Maybe we should start pushing for an alternative response to terrorist attacks -- one based on logic and the facts, not rhetoric and fear. That's exactly what Björn Brembs, Professor of Neurogenetics at Regensburg University in Germany, has done in a short blog post about a more rational approach that avoids bad trade-offs. As he writes:

It is very difficult to prevent casualties such as those in the recent terror attacks in Madrid, London, Paris, Brussels or elsewhere, without violating basic human rights and abandoning hard-won liberties.

So what might we do instead? Brembs suggests a new kind of "death prevention program." Not one based on futile attempts to stop every terrorist attack, but a compensatory plan to save far more lives than terrorists ever take:

There are ~1.2 [million] preventable deaths in Europe alone every year. These deaths are due to causes such as lung cancer, accidental injuries, alcohol related diseases, suicides and self-inflicted injuries. With even in the 1970s and 1980s terrorist-related fatalities never exceeding 500 per year, we are confident that we will be able, from now on, to save at least 100 lives for every one that is being taken in a terrorist attack.

To reach this ambitious goal, we will start with increasing our efforts to prevent alcohol and tobacco-related deaths through effective public-health intervention programs as well as basic and applied biomedical research into the prevention, causes and treatment of these diseases and disorders. With about 30,000 annual fatalities in traffic-related accidents, we will also introduce European-wide speed limits, strong enforcement via speed-traps and an increased police force which collaborates across Europe. Drivers convicted of violating speed limits or DUI will have their driver's licenses withdrawn for extended periods of time. Should these activities fail to reach these goals, we will start targeting more areas.

Although it could be argued that some of those measures are themselves restrictions on freedom (and things like speed traps haven't been shown to make the roads any safer), against the background of today's harsh anti-terror laws, and plans for even more surveillance -- the UK's Snooper's Charter, for example -- those don't look as bad. In any case, implementation details are less important than shifting emphasis to this very different approach. The idea of focusing on stopping preventable deaths caused by known factors, rather than chasing after unpredictable events is a good one. Moreover, as Brembs writes, a "death prevention program" would not only preserve basic human rights and civil liberties better than today's response, it would also benefit the economy and boost employment:

Our investment in basic and applied research will yield discoveries that will benefit all of humanity long after the last terrorist has sacrificed his life in vain. With our new program, every single terrorist attack will save the lives of countless more citizens than it has cost, turning terrorism into a net life-saving activity.

That, surely, is the way to truly defeat the terrorists -- rather than handing them an easy victory by accepting disproportionate measures that destroy the very freedoms politicians claim to defend.

from the it's-almost-like-you-have-an-agenda... dept

You may remember that, right after the Paris attacks late last year, politicians rushed in to demonize encryption as the culprit, and to demand backdooring encryption before the blood was even dry. Of course, it later turned out that there was no evidence that they used encryption at all, but rather it appears that they communicated by unencrypted means. Just yesterday, we noted that the press was still insisting encryption was used, and using the lack of any evidence as evidence for the fact they must have used encryption (hint: that's not how encryption works...).

So, it should hardly be a surprise that following this morning's tragic attacks in Brussels that have left dozens dead and many more injured, that encryption haters, based on absolutely nothing, have rushed in to attack encryption again. The first up was Rep. Adam Schiff, who quickly insisted that he had no actual facts on the matter, but we should be concerned about encryption:

“We do not know yet what role, if any, encrypted communications played in these attacks,” Rep. Adam Schiff (D-Calif.) said in a statement.

“But we can be sure that terrorists will continue to use what they perceive to be the most secure means to plot their attacks,” he added.

Schiff, of course, is the same guy who just a few months ago was loudly promoting CISA, saying we needed it to protect our privacy from hackers. Of course CISA doesn't do that. You know what does? Encryption. The very encryption Schiff now wants to blame.

Not one to be left out, Senator Dianne Feinstein jumped in with a thinly veiled statement in support of her supposedly soon to be released bill, mandating backdoors in encryption:

“We must use all the tools at our disposal to fight back,” Sen. Dianne Feinstein, California Democrat and vice chairwoman of the Senate Intelligence Committee, said in a statement on Tuesday. “The way to prevent attacks like this is to develop good intelligence and always be vigilant.”

"All the tools" likely means including her plans to break encryption.

And, of course, many in the press are no help at all. There have been reports that a talking head on NPR blamed encryption this morning, while a NY Times reporter, Rukmini Callimachi -- who was the lead reporter on that ridiculous article yesterday insisting that the lack of encryption was evidence of encryption -- is tweeting up a storm claiming that ISIS is now encouraging the use of encryption, even though the questionably-sourced document she links to (which is written in English?!?) isn't actually recommending encryption, but things like Tor and VPNs, which are designed to merely mask your IP address.

It's like she sees encryption in absolutely anything. Meanwhile, as a number of other commenters have pointed out, if "ISIS brothers" actually follow the advice in that document, it will only likely help them get caught, as a sudden and abrupt change in behavior is a pretty good way for law enforcement to make you a suspect. And, really, encouraging people to jump onto tools like Tor that they don't understand, but which they think will keep them safe, almost certainly will lead to ridiculously bad implementations that make it easier to spot what they're doing.

Either way, in the wake of yet another attack we're left with people who don't understand and dislike encryption, rushing to demonize it for no good reason at all.

from the trust-no-one dept

Early last year, Tor suffered a massive attack that compromised the anonymity of its users over a period of at least six months. Soon after, the FBI launched Operation Onymous, which dismantled yet another round of darknet markets and left Tor developers and supporters desperately wondering what went wrong. Last month, Tor then dropped a bit of a bombshell: it claimed the FBI paid researchers at Carnegie Mellon $1 million to conduct a Sybil attack on the network. Running from January to July of 2014, CERT used just $3,000 in hardware to flood the Tor network with additional new relays that then modified Tor protocol headers to do traffic confirmation attacks.

Both the FBI and the university continue to deny the claims, for whatever that's worth:

“The allegation that we paid CMU $1 million is inaccurate,” said a FBI spokesperson.

Meaning, if you're familiar with semantic FBI parlance, that it probably paid a few specific researchers (not the University itself) $999,999.

Regardless, Hill's new report provides a lot more insight into the attack, courtesy of Tor chief architect Nick Mathewson, who admits it wasn't the developers' finest hour, noting that he originally overlooked the threat because he believed it was too ham-fisted to actually be performed in the wild:

"I don't think this is the best response we've ever done to an attack situation," said Mathewson by phone... "It didn't occur to me that they would run the attack in the wild on random users," said Mathewson. "The way the attack was structured, it was a bad attack for anyone to get away with it. Once detected, it was very easy to block. It didn't seem to me like a deep threat."

Of course, the end result of this oversight was not only the arrests and darknet site closures from Operation Onymous, but Operation Shrouded Horizon -- which targeted the Darkode black marketplace. And the markets are still reeling. Though it's always hard to differentiate an exit scam (where the site just runs away with the money held in escrow) from security concerns, numerous markets (like Middle Earth Marketplace) recently went offline claiming they're trying to implement upgrades that will make their drug bazaars more secure.

But Mathewson is quick to make the obvious point that while these arrests primarily targeted child pornographers and drug dealers, the attacks targeted everybody. And the use of supposedly objective academics as attackers, the lack of warrants, and the lack of institutional oversight by Carnegie Mellon's Institutional Review Board set a disgusting precedent for the security community:

"There's an argument that this attack hurts all of the bad users of Tor so it's a good thing," said Mathewson. "But this was not a targeted attack going after criminals. This was broad. They were injecting their signals into as much hidden services traffic as they could without determining whether it was legal or illegal."

"Civil liberties are under attack if law enforcement believes it can circumvent the rules of evidence by outsourcing police work to universities," wrote Dingledine in a Tor blog post, which also questioned whether Carnegie Mellon had gotten approval from an institutional review board, a process that exists to ensure that academics don't harm human research subjects.

For what it's worth, Mathewson says the Tor team has made numerous code changes to better scan the Tor network for potential threats, and has been working over the last year on an as-yet unfinished revamp of the hidden services design. Tor is also working on what Mathewson calls a "new cryptographic trick" that will allow a hidden services directory to send Tor users to a hidden site -- without the directory knowing where it's sending them. The developers have also apparently learned a thing or two about trust, with Mathewson stating they're no longer "extending security researchers the benefit of the doubt on anything." Good idea.

The central question of course is whether Tor has the manpower needed to keep such an integral technology operational and secure. Eighty percent of Tor's $2.5 million budget still comes from the government, so Tor is operating a crowdfunding campaign to expand the funding base for obvious reasons. But Tor only has 22 full- and part-time employees, and 10 volunteers and academics who consistently contribute code, which directly contributed to the attack not being taken seriously earlier. As such we're left wondering if Tor can be trusted moving forward and, if not, what comes next for the millions of users that depend on Tor for perfectly-legal anonymous communications?